Vidar

Vidar is an information stealer that harvests credentials, files and cryptocurrency from infected users. It takes its name from the Norse god of vengeance. This upgraded version of the Arkei stealer has been active in the wild since 2018.

Type: Trojan
Origin: ex-USSR
First seen: 1 December, 2018
Last seen: 21 May, 2022
Also known as: Arkei
Global rank: 15
Week rank: 13
Month rank: 15
IOCs: 27794

What is Vidar / Arkei malware?

Vidar is an information stealer trojan that was first identified in December 2018. It is either a fork of Arkei or the result of its evolution. Named after the god of vengeance from Scandinavian mythology, Vidar is used to steal information from infected systems, take screenshots, steal cryptocurrency, and more.

General description of Vidar malware

Vidar is presumed to originate from a Russian-speaking country: the malware is configured to stop executing if it detects that the host is located in one of the ex-USSR nations or has a Russian keyboard layout.

Like many other threats, Vidar is sold under the MaaS (Malware-as-a-Service) business model. It can be purchased on its "official" website for a hefty $700 for the PRO version, while a stripped-down version of the malware can be obtained for $250.

According to the Vidar trojan analysis, the malware is written in C++. Buying an account grants the attacker access to a control panel where the malware can be configured to target particular information on victims' PCs. As with Arkei, buyers must protect the main payload themselves with a crypter or a packer. The control panel shows the current builder version, user settings, malware status, and collected logs. Note that Vidar locates its C&C servers, where stolen data is uploaded, through domain names that are rotated roughly every four days; although the domains change steadily, the stealer needs a live C&C response to complete its work.

Arkei can steal text files in multiple formats; browser cookies, history and other browser records, including those of the Tor Browser; and autofill data, including banking and credit card details. Based on the Vidar analysis, the malware also searches for cryptocurrency wallet data, takes screenshots and steals private messages from various messaging software.

What's more, Vidar can also steal coins from locally stored (offline) wallets. Holders of Litecoin, Bitcoin, Ethereum, Zcash, and DashCore are at risk, as these are the cryptocurrencies currently supported by the malware.

After collecting all targeted information, the malware archives it and sends the stolen data to a control server, after which Vidar removes traces of its work and deletes itself from the system.

Vidar analysis

A video recorded in the ANY.RUN malware hunting service lets us take a closer look at the lifecycle of Vidar, and lets readers perform their own Vidar analysis.

Figure 1: A visual process graph generated by ANY.RUN

Figure 2: The customizable text report provided by ANY.RUN is a convenient way to share the results of an analysis

Vidar execution process

According to the Vidar analysis, after the user downloads and runs the malicious file, it spawns a child process that collects information from the infected system. Often, once the information has been collected, the malware kills its own process and deletes itself from the system through a command-line command.
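The kill-and-delete-self step described above leaves a recognisable trace in process-creation telemetry: a cmd.exe child whose command line both kills a process and deletes a file, and names its parent's own executable. The following is an added example by the editor, not ANY.RUN's tooling or Vidar's code. The event shape (pid, parent pid, image path, command line) is a simplified, constructed Sysmon-style record, and the sample events, file names and the exact cmd.exe command line are constructed assumptions modelled on the behaviour the text describes.

```python
"""Flag the kill-and-delete-self chain described above in process telemetry.

Added example by the editor, not ANY.RUN's tooling or Vidar's code. The event
shape (pid, parent pid, image path, command line) is a simplified, constructed
Sysmon-style record, and the sample events, file names and the exact cmd.exe
command line are constructed assumptions modelled on the behaviour the text
describes: a child process gathers data, then cmd.exe is told to kill the
stealer's process and delete its own executable.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


# Constructed sample telemetry: a loader (200) spawns a child (201), which
# launches the self-deletion command (202). Event 300 is a benign cmd.exe.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Users\victim\Downloads\invoice.exe", "invoice.exe"),
    ProcEvent(201, 200, r"C:\Users\victim\Downloads\invoice.exe", "invoice.exe"),
    ProcEvent(
        202, 201, r"C:\Windows\System32\cmd.exe",
        'cmd.exe /c taskkill /im invoice.exe /f & timeout /t 6 & '
        'del /f /q "C:\\Users\\victim\\Downloads\\invoice.exe" & exit',
    ),
    ProcEvent(300, 100, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c del /f /q C:\\Temp\\build.log"),
]

DELETE_VERB = re.compile(r"\b(del|erase)\b")


def find_self_deletion(events):
    """Return (parent pid, parent image, cmdline) for every cmd.exe that both
    kills a process and deletes a file, where the command names the parent's
    own image. Requiring all three keeps ordinary 'del' one-liners out."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        cmd = e.cmdline.lower()
        parent_path = parent.image.lower()
        parent_name = parent_path.rsplit("\\", 1)[-1]
        kills = "taskkill" in cmd
        deletes = DELETE_VERB.search(cmd) is not None
        targets_parent = parent_name in cmd or parent_path in cmd
        if kills and deletes and targets_parent:
            hits.append((parent.pid, parent.image, e.cmdline))
    return hits


if __name__ == "__main__":
    for pid, image, cmdline in find_self_deletion(SAMPLE_EVENTS):
        print(f"self-deletion by pid {pid} ({image}): {cmdline}")
```

Two caveats for a production rule: taskkill can also target by PID (`/pid`), so the check should resolve PID arguments against the parent chain rather than only matching the image name, and because the delete is typically delayed (the `timeout` in the constructed command), the parent process is usually already gone by the time an analyst looks, so the parent's image path must be taken from the stored event rather than from the live system.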

How to avoid infection by Vidar malware?

When spread via spam email campaigns, as NanoCore or Agent Tesla are, the Vidar stealer requires the user to download and run a malicious file before it can execute. Following some basic cybersecurity rules therefore goes a long way toward keeping users safe from Arkei malware and lets the incident response team work effectively.

As such, users should be careful when downloading attachments in emails from unknown senders. The best practice is to avoid downloading such files altogether, therefore not putting oneself in danger at all.

In addition, downloading only licensed software from trustworthy sources and avoiding game cheat and hack clients greatly reduces the risk of infection with malware such as the Vidar trojan, which uses these vectors to reach victims.

The distribution process of Vidar

According to the Vidar trojan analysis, Arkei is distributed as a malicious attachment in spam email campaigns, a vector it shares with much other commodity malware. Cases of Vidar being distributed through pirated software and game hack clients have also been recorded. The Vidar infostealer targets users all over the world, except in some ex-USSR countries, including Russia.

How to detect Vidar using ANY.RUN?

Some malware creates files in which it names itself. You can find such information about the Arkei trojan with ANY.RUN's "Static Discovering" feature during your Vidar analysis. Open the "Files" tab in the lower part of the task window, or click on the process and then on the "More Info" button in the window that appears. Then click on the file.

Figure 3: Arkei's log file

Conclusion

Vidar / Arkei is a hazardous information stealer trojan, distributed as malware as a service. Thanks to its extensive stealer feature set, the Vidar trojan can retrieve a wide variety of information, including coins from selected cryptocurrency wallets. Additionally, Vidar can steal data from the Tor Browser.

Thankfully, malware hunting services like ANY.RUN allow researchers to study malware samples in a secure environment, share information about the threat, and develop effective countermeasures and incident response.

IOCs

IP addresses
188.114.96.10
208.95.112.1
148.251.234.93
148.251.234.83
5.101.153.227
23.202.231.167
192.185.90.132
52.60.87.163
204.11.56.48
172.105.162.84
162.241.60.208
107.189.11.124
172.105.103.207
194.195.211.98
199.59.242.150
92.205.11.231
198.54.126.118
108.167.158.96
Hashes

Domains
svntrk.com
tzgl.org
kotob.top
wrrst.top
tbpws.top
securebiz.org
cdn.plyr.io
pnsqsv.com
bvmcdn.com
punosy.best
cdntechone.com
yqmxfz.com
www.ahmed-mohammed.online
the-beauty-guides.com
wallflowersandrakes.com
celebration-studio.com
static.indoleads.com
iplis.ru
tiny.one
htagzdownload.pw
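A list like the one above is most useful once it is normalized (duplicates dropped, IPs separated from domains, subdomains handled) and run against your own proxy or DNS logs. The following is an added example by the editor, not part of the ANY.RUN report. The IOC values are copied from the list above (a subset, with one duplicate kept on purpose to show deduplication); the log format (epoch time, client IP, destination host, URL) and the log lines are constructed. The "likely shared" set is the editor's assumption: some entries in the list appear to be third-party services (a CDN, a URL shortener, an IP geolocation API), so a hit on them is a lead to confirm, not a verdict.

```python
"""Normalize the IOC list above and match it against proxy/DNS log lines.

Added example by the editor, not part of the ANY.RUN report. The IOC values are
copied from the list above (a subset, with one duplicate kept on purpose); the
log format (epoch, client IP, destination host, URL) and the log lines are
constructed. The 'likely shared' set is the editor's assumption: some entries
in the list appear to be third-party services, so a hit on them is a lead to
confirm, not a verdict.
"""
import ipaddress
import re

# Subset of the IOCs listed above; 23.202.231.167 appears twice in the page's list.
RAW_IOCS = [
    "188.114.96.10", "208.95.112.1", "5.101.153.227",
    "23.202.231.167", "23.202.231.167",
    "svntrk.com", "tzgl.org", "kotob.top", "cdn.plyr.io", "tiny.one",
    "www.ahmed-mohammed.online",
]

# Editor's assumption: entries likely to be shared services rather than
# attacker-owned infrastructure. Verify before blocking.
LIKELY_SHARED = frozenset({"188.114.96.10", "208.95.112.1", "cdn.plyr.io", "tiny.one"})

# Constructed log lines: epoch time, client, destination host, URL.
SAMPLE_LOG = """\
1653120001 10.0.0.5 www.ahmed-mohammed.online http://www.ahmed-mohammed.online/
1653120002 10.0.0.5 208.95.112.1 http://208.95.112.1/
1653120003 10.0.0.7 cdn.plyr.io https://cdn.plyr.io/
1653120004 10.0.0.9 example.com https://example.com/
1653120005 10.0.0.5 a.svntrk.com http://a.svntrk.com/
"""

LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<client>\S+) (?P<host>\S+) (?P<url>\S+)$")


def normalize(raw):
    """Lower-case, strip trailing dots, drop duplicates, split IPs from domains."""
    ips, domains = set(), set()
    for item in raw:
        item = item.strip().lower().rstrip(".")
        if not item:
            continue
        try:
            ips.add(str(ipaddress.ip_address(item)))
        except ValueError:
            domains.add(item)
    return ips, domains


def host_in(host, names):
    """True if host equals a name in the set or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == n or host.endswith("." + n) for n in names)


def scan(log_text, ips, domains, shared=frozenset()):
    """Return (client, host, reason, confidence) for each line hitting an IOC."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = m["host"].lower().rstrip(".")
        if host in ips:
            reason = "ip"
        elif host_in(host, domains):
            reason = "domain"
        else:
            continue
        confidence = "low" if host_in(host, shared) else "high"
        hits.append((m["client"], host, reason, confidence))
    return hits


IPS, DOMAINS = normalize(RAW_IOCS)
HITS = scan(SAMPLE_LOG, IPS, DOMAINS, LIKELY_SHARED)

if __name__ == "__main__":
    print(f"{len(IPS)} unique IPs, {len(DOMAINS)} domains")
    for client, host, reason, confidence in HITS:
        print(f"{client} -> {host} ({reason}, {confidence} confidence)")
```

Matching on the parent domain (so that a.svntrk.com hits svntrk.com) catches rotated subdomains, which matters given that the article notes Vidar rotates its C&C names every few days; the price is that shared hosts such as a CDN or a URL shortener will also match, which is why the example carries the confidence flag rather than treating every hit the same.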
